Multi-layered user authentication at HDFC Bank for NetBanking safety

Online banking has become a major customer interface for HDFC Bank Ltd.'s multi-channel strategy over the years. Internet banking will constitute approximately 28% of HDFC Bank's overall transactions in fiscal year 2009-10. While this translates into many tangible benefits for the bank, it has brought in various online fraud threats like phishing, pharming and Trojan attacks. Hence, HDFC Bank took the call to move beyond traditional customer authentication methods.

As Vishal Salvi, the chief information security officer of HDFC Bank says, the primary business objective was to reduce online fraud and the number of attacks. Other objectives included increasing customer confidence and creating overall trust for the channel.

Salvi and his team wanted to ensure additional layers of security for better fraud detection and proactive mitigation of phishing attacks. So the bank implemented a multi-layered security control approach for NetBanking. This included deployment of the RSA Identity Protection and Verification Suite's layered components, as well as other measures.

According to Salvi, the new security layers called for additional infrastructure to complement the existing authentication mechanisms. Since another circle of controls was created over the NetBanking core, integration and screen development work was required between HDFC Bank's systems and the RSA system.

The project began in October 2008, and HDFC Bank started using the new security mechanisms in January. Since the risk engine used for fraud detection learns over a period of time, the organization initially had a high rate of false positives. "Incidents of false positives have improved to a very large extent, and there are very few incidents at present," Salvi says.

Log in (before and after)

HDFC Bank uses the RSA FraudAction service to gain visibility of emerging security threats such as phishing and Trojan attacks. According to Salvi, this is the first line of defense for the bank.

Virtual keyboards (not an RSA solution) ensure that the passwords of HDFC Bank's NetBanking customers do not fall prey to phishing attacks during log in. This acts as the second layer of defense.

Site-to-user authentication (using RSA Adaptive Authentication) acts as the third protection layer for HDFC Bank's NetBanking customers. This is achieved by displaying an image and caption (preselected by the customer) after log in to verify the website's legitimacy. "It's very difficult for a phisher to replicate the same image and pass code for every individual user. This gives confidence to the users that they are going into a genuine site," Salvi says.

The fourth layer of protection is activated for high-value transactions like adding a payee. As part of this step, the customer is asked challenge questions (pre-defined by the user) to verify his identity.

Another layer of defense that has been incorporated is an out-of-band one-time password accompanied by an automated call initiated on the customer's pre-defined cell phone. The transaction goes through once the customer gets a call, receives the code and enters it on his phone. All these layers have also been implemented using RSA Adaptive Authentication.

HDFC Bank's sixth layer of protection for NetBanking customers uses RSA Adaptive Authentication's risk engine, which helps the company score transactions according to the risk profile. According to Salvi, every control used in the different security layers for NetBanking is governed by a policy. Since these policies are not hard-coded, they can be modified depending on the changing threat scenario.
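The layers described above (challenge questions for sensitive actions such as adding a payee, an out-of-band one-time code for higher-risk transactions, and a policy-driven risk engine whose weights are data rather than code) can be sketched as a small step-up authentication decision. The following is an added illustration, not HDFC Bank's or RSA's code; the signal names, point values, thresholds and the 50,000 amount floor are constructed assumptions, and the voice-call delivery is simulated by returning the code to the caller.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Transaction:
    user_id: str
    kind: str                      # e.g. "view_balance", "add_payee", "third_party_transfer"
    amount: float                  # value in the account currency
    device_known: bool             # device fingerprint seen before for this customer
    country_matches_profile: bool  # source geolocation agrees with the customer's profile


# Constructed policy table (assumption, not a real bank's rules). Weights and
# thresholds live in data so they can be retuned as the threat picture changes.
DEFAULT_POLICY = {
    "signals": {
        "unknown_device": 40,
        "geo_mismatch": 30,
        "sensitive_action": 40,
        "per_10k_amount": 5,
    },
    "sensitive_kinds": {"add_payee", "third_party_transfer"},
    "thresholds": {"challenge": 40, "otp": 70},
    "otp_amount_floor": 50000,     # above this value an OTP is always required
}


def tune_policy(base, signals=None, thresholds=None):
    """Return a modified copy so a policy change never mutates the live table."""
    new = {k: (dict(v) if isinstance(v, dict) else set(v) if isinstance(v, set) else v)
           for k, v in base.items()}
    new["signals"].update(signals or {})
    new["thresholds"].update(thresholds or {})
    return new


def score_transaction(tx, policy=DEFAULT_POLICY):
    """Additive risk score in the range 0..100."""
    sig = policy["signals"]
    score = 0
    if not tx.device_known:
        score += sig["unknown_device"]
    if not tx.country_matches_profile:
        score += sig["geo_mismatch"]
    if tx.kind in policy["sensitive_kinds"]:
        score += sig["sensitive_action"]
    score += int(tx.amount // 10000) * sig["per_10k_amount"]
    return min(score, 100)


def required_step_up(tx, policy=DEFAULT_POLICY):
    """Which extra factor the session must clear: 'none', 'challenge' or 'otp'."""
    score = score_transaction(tx, policy)
    th = policy["thresholds"]
    if score >= th["otp"] or tx.amount >= policy["otp_amount_floor"]:
        return "otp"
    if score >= th["challenge"]:
        return "challenge"
    return "none"


class OutOfBandOtp:
    """Single-use codes with an expiry and an attempt limit; only a hash is stored."""

    def __init__(self, ttl_seconds=120, max_attempts=3):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self._pending = {}  # user_id -> (code_hash, expires_at, attempts_left)

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).digest()

    def issue(self, user_id, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user_id] = (self._digest(code), now + self.ttl, self.max_attempts)
        return code  # in a real deployment this goes only to the telephony provider

    def verify(self, user_id, code, now=None):
        now = time.time() if now is None else now
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        code_hash, expires_at, attempts_left = entry
        if now > expires_at or attempts_left <= 0:
            del self._pending[user_id]
            return False
        if hmac.compare_digest(code_hash, self._digest(code)):
            del self._pending[user_id]  # a code is consumed on first success
            return True
        attempts_left -= 1
        if attempts_left == 0:
            del self._pending[user_id]  # lock out after too many wrong guesses
        else:
            self._pending[user_id] = (code_hash, expires_at, attempts_left)
        return False
```

Adding a payee from a known device lands exactly on the challenge threshold, the same action from an unknown device crosses into OTP territory, and loosening a single weight with `tune_policy` changes the outcome without touching the scoring code, which is the point of keeping the policy out of the code path. The OTP helper stores only a digest, compares in constant time, expires codes and locks the pending code after repeated wrong guesses.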

Going forward

Salvi claims that HDFC Bank has witnessed an 85% to 90% decline in phishing attacks since deployment of the new security layers. "According to recently released Reserve Bank of India figures, there has been an increase in the number of phishing attacks on Indian banks. However, we have actually seen a steep decline in the number of attacks against us," Salvi says.

This encouraging trend has resulted in Salvi and his team extending the scope of security from just third-party transfers to direct payments -- the protection will extend to HDFC Bank customers' credit and debit card payments as well. "Although the risk is much lesser for direct payments since the transactions can be traced, we still want to include that in the scope," Salvi says.
